• Request consultation
  • Newsletter
  • Deutsch Deutsch German de
  • English English English en
  • Italiano Italiano Italian it
  • Nederlands Nederlands Dutch nl
Greenbone
  • Products
    • OPENVAS BASIC
      • OPENVAS BASIC: Order
    • OPENVAS SCAN
    • Upcoming Solutions
      • OPENVAS SECURITY INTELLIGENCE
      • OPENVAS AI
    • Solutions for Your Sector
      • Educational Sector
      • Healthcare Sector
      • Public Sector
    • Technology
      • Feed Comparison
      • Product Comparison
        • OPENVAS vs. Nessus
      • Roadmap & Lifecycle
  • Service & Support
    • Technical Support
    • Self-Learning Courses
    • Documents
  • Events
    • Cybersec Europe 2026
    • Webinars
  • Partners
    • MSSP
  • About Greenbone
    • Careers
    • Contact
  • Blog
    • Know-how
      • Attack Vector Timeline
      • Cyberattacks and Defense
      • Cyber Defense Security
      • Cyber Resilience Act
      • Data Security
      • Digital Operational Resilience Act
      • Exposure Management
      • IT and Information Security
      • NIS2 Directive
      • Open Source Vulnerability Management
      • The Vulnerability Timeline
  • Click to open the search input field Click to open the search input field Search
  • Menu Menu
  • Products
    • OPENVAS BASIC
      • OPENVAS BASIC: Order
    • OPENVAS SCAN
    • Upcoming Solutions
      • OPENVAS SECURITY INTELLIGENCE
      • OPENVAS AI
    • Solutions for your sector
      • Educational Sector
      • Healthcare Sector
      • Public Sector
    • Technology
      • Feed Comparison
      • Product Comparison
        • OPENVAS vs. Nessus
      • Roadmap and Lifecycle
    • Request IT Security
  • Service & Support
    • Technical Support
    • Self-Learning Courses
    • Documents
  • Events
    • Cybersec Europe 2026
    • Webinars
  • Partners
    • MSSP
  • About Greenbone
    • Careers
    • Contact
    • Newsletter
  • Our Blog
    • Know-how
      • Attack Vector Timeline
      • Cyberattacks and Defense
      • Cyber Defense Security
      • Cyber Resilience Act
      • Data Security
      • Digital Operational Resilience Act
      • Exposure Management
      • IT and Information Security
      • NIS2 Directive
      • Open Source Vulnerability Management
      • The Vulnerability Timeline
  • German
  • English
  • Italian
  • Dutch
Joseph Lee

SessionReaper: Account Takeover and Unauthenticated RCE in Magento and Adobe Commerce

Blog
!

Update

February 2nd, 2026

Reports from multiple security vendors have confirmed that CVE-2025-54236 (aka “SessionReaper”) has transitioned to active, real-world exploitation. A full technical write-up has been published and the Sansec Threat Research team, who originally disclosed CVE-2025-54236, claims that Proof-of-concept (PoC) exploits are circulating.

On October 22nd 2025, the Sansec Threat Research Team reported blocking live exploitation attempts, including PHP web shell deployments, and warned that more than 60% of Magento stores remained unpatched at the time. Soon after, the Akamai Security Intelligence Group reported hundreds of exploitation attempts targeting over 130 distinct hosts within their cloud infrastructure.

CVE-2025-54236 (CVSS 9.1) is an account-takeover flaw that may result in unauthenticated remote code execution (RCE) under certain conditions. Dubbed “SessionReaper”, CVE-2025-54236 affects Adobe Commerce, Adobe Commerce B2B, and Magento Open Source web applications. The root cause is Improper Input Validation [CWE-20] in the REST API. Adobe’s official advisory describes the issue as a security feature bypass although no further explanation is provided.

Blog Banner

The exploit chain for CVE-2025-54236 starts with a nested deserialization vulnerability [CWE-502] and results in a malicious session for a customer account. Security researchers from Sansec claim that Remote Code Execution (RCE) is possible when file-based session storage is used and that other attack chains may also exist, such as RCE via Redis or database session storage. Blaklis is credited with the discovery and responsible disclosure of CVE-2025-54236 via the Hackerone platform.

A full technical description, PoC, or full exploit kits are not yet publicly available. However, France’s CERT-FR has issued a public advisory for the vulnerability. Greenbone’s OPENVAS ENTERPRISE FEED already includes a remote banner check to identify vulnerable systems and verify patch status.

Risk Assessment for CVE-2025-54236 (aka “SessionReaper”)

Magento Open Source (released in 2008) and its commercial counterpart Adobe Commerce are widely used e-commerce platforms. As of 2024, they power in the order of 200-250,000 live/active stores, putting Magento among the leading global e-commerce platforms. This wide usage makes it an attractive target for attackers.

Previous vulnerabilities in Magento have been leveraged in mass exploitation attacks within hours [1][2][3][4] of their disclosure. In this case, Adobe’s patch was accidentally leaked publicly, giving attackers a head start on developing exploit code. If exploited, attackers could install malware [T1105] in an attempt to covertly maintain persistent access [TA0003] to the victim’s infrastructure. This could lead to future attacks, such as stealing payment card information to make fraudulent transactions [T1657], stealing other sensitive information [TA0010], conducting phishing [T1566] attacks against customers of the website, or deploying ransomware against the victim [T1486].

Mitigating CVE-2025-54236 (aka “SessionReaper”)

CVE-2025-54236 affects Adobe Commerce, Adobe Commerce B2B, and Magento Open Source across multiple versions, as well as the Custom Attributes Serializable module on all platforms and deployment methods [1]. However, Adobe’s own knowledge base seems to provide contradictory information, stating that the Custom Attributes Serializable module versions 0.1.0 – 0.4.0 are affected, but also advises upgrading the module to version 0.4.0 or higher.

Users are advised to install the hotfix patch provided by Adobe or update to the latest version immediately to protect their online business operations and customers. Users should also conduct a thorough assessment to determine whether their instance has already been compromised and if found, remove the infection. Adobe has also released a developer guide to help users adjust to any necessary changes in the web application’s REST API. The OPENVAS ENTERPRISE FEED includes a remote banner check to identify vulnerable systems.

Summary

CVE-2025-54236 poses a critical risk to Magento and Adobe Commerce users. For attackers, the flaw enables account takeover and potentially unauthenticated RCE on a victim’s infrastructure. Defenders should identify vulnerable systems and patch them immediately. Greenbone’s OPENVAS ENTERPRISE FEED can help to identify vulnerable web applications and verify remediation status. IT security teams should also audit their systems to detect potential breaches and remove infections if any indicators of compromise (IoC) are found.

Contact Test Now Buy Here Back to Overview

Joseph Lee
Joseph Lee

Joseph has had a varied and passionate background in IT and cyber security since the late 1980s. His early technical experience included working on an IBM PS/2, assembling PCs and programming in C++.

He also pursued academic studies in computer and systems engineering, anthropology and an MBA in technology forecasting.

Joseph has worked in data analytics, software development and, in particular, enterprise IT security. He specialises in vulnerability management, encryption and penetration testing.

LinkedIn

17. September 2025/by Joseph Lee
Share this entry
  • Share on LinkedIn
  • Share by Mail
https://www.greenbone.net/wp-content/uploads/greenbone-logo-2025.png 0 0 Joseph Lee https://www.greenbone.net/wp-content/uploads/greenbone-logo-2025.png Joseph Lee2025-09-17 14:41:512026-02-02 12:43:44SessionReaper: Account Takeover and Unauthenticated RCE in Magento and Adobe Commerce

Search

Search Search

Archive

  • 2026
  • 2025

Newsletter

Subscribe Now

OPENVAS BASIC

Our entry-level enterprise product

Test 14 Days Free of Charge

Products & Solutions

  • OPENVAS PRODUCTS
  • OPENVAS SECURITY INTELLIGENCE
  • OPENVAS SCAN
  • OPENVAS BASIC
  • OPENVAS FREE
  • OPENVAS AI
ISO9001-EN

Service & Support

  • Technical Support
  • FAQ
  • Documents
  • Warranty
  • Open Source Vulnerability Management
  • Cyber Resilience Act
ISO27001-EN

About us

  • About Greenbone
  • Partners
  • MSSP
  • License information
  • Privacy Statement
  • Terms & Conditions
ISO14001-EN

Contact with us

  • Contact
  • Newsletter
  • Media Contact
  • Careers
  • Security Response
  • Imprint
  • Grounding Page

Community

  • Community Portal
  • Community Forum
© Copyright - Greenbone AG 2020-2026
  • Link to LinkedIn
Link to: August 2025 Threat Report: Fast-Moving, High-Risk Vulnerabilities Link to: August 2025 Threat Report: Fast-Moving, High-Risk Vulnerabilities August 2025 Threat Report: Fast-Moving, High-Risk Vulnerabilities Link to: Change in the Greenbone AG Executive Board Link to: Change in the Greenbone AG Executive Board Change in the Greenbone AG Executive Board
Scroll to top Scroll to top Scroll to top
Contact
Request IT Security Contact Us Subscribe to Newsletter Follow on LinkedIn